Trends in Major Data Breaches

A study of 495 major breaches of protected health information listed on a public federal government Web site during the past three years finds little improvement in the industry’s susceptibility to certain types of breaches. Hospitals and insurers, however, have reduced their major breaches.

The Health Information Trust Alliance, an industry stakeholder consortium known as HITRUST, conducted the study. The HHS Office for Civil Rights lists the major breaches, which have topped 500 since the study was done, and the study does not account for tens of thousands of smaller breaches. The 495 breaches that HITRUST looked at affected 21 million records and cost $4 billion, the group estimates.

Major breaches at hospitals and delivery systems fell 71 percent from 2010 to 2011, according to the study, and this segment had only 14 major breaches during the first half of 2012, compared with 48 for all of 2011. Major breaches at health plans have steadily fallen since 2009 and there have been no postings since the first quarter of 2012.

Physician practices, however, haven’t demonstrated such progress. Smaller practices account for more than 60 percent of all practice breaches. “As the interconnectivity of organizations increases through community health records and health information exchanges, small practices may pose a new and significant risk to larger entities that have begun to get a handle on security and privacy,” according to HITRUST.

Other study findings include: Missing laptops and paper records are the leading causes of breaches; business associates account for 21 percent of breaches and 58 percent of all breached records; and the average time to notify HHS and patients is 68 days after discovery of a breach, which is beyond the 60 days required under law.